Installing your own CA authority to force client authentication

I wrestled for a while today with client authentication using CA-signed certificates. Setting up a CA and signing certs with it is a little trickier than self-signing a cert. Here are the details.

I ran into a lot of caveats doing this for the first time, so I thought I might record this for posterity. First, we have two servers. The whole point of this is an added layer of security for our server, which we'll call goliath. It has a web service running under Apache, and we only want the server david to access that service. We could do that with IP filtering, of course, but we think that down the road we may want to allow a different server access, and we want an additional layer of security even if someone somehow defeats whatever filtering is in place.

A more likely reason to do this is that you want to authenticate a browser. We're not going to go into that, because I did not need to install the client cert in a browser, but a lot of this will still be applicable.

Environment:

Apache 2 with mod_ssl

openssl

The client host has openssl as well; our goal is to get wget on david working against goliath.

Step 1: Create a CA

You can edit your openssl.cnf if you like. Alternatively, you can plan to pass the -config flag to most of your openssl commands. In my case, I'm using what I think was the default, which contains this line:

Caveat: I put in -startdate here. Why? When I did this, I was testing immediately, but I had one server on GMT and the other on Mountain time. Before I did this, the MST server actually thought the "valid from" date was in the future. So when I did it over, I made sure to specify a startdate one day in the past. (Certificate validity times are stored in UTC, so what actually bites you is clock skew between the signing host and the verifying host, including a hardware clock set to local time but read as UTC; backdating by a day gives you a margin against that.)
The format of the UTC date code is YYMMDDHHMMSSZ; for example, Jun 14th 2005 at noon is:
050614120000Z
Back on david, we retrieve the cert:

# scp root@goliath:/var/tmp/david.crt .

Ok. Now we need to configure our server. Wherever applicable (in my case, conf.d/ssl.conf and conf.d/goliath.domain.com.conf), we need to set up these lines:

Those don't all need to go together, but do put the SSLVerify lines directly under SSLEngine On.
Now issue an "apachectl graceful" to load that config.
At this point, back on david, you should be able to do the following:

I've put the CA bundle in there; again, you won't need the --ca-certificate flag if goliath's server SSL cert is signed by a CA recognized in wget's default CA bundle.
Now, more importantly, if you remove the --certificate and --private-key parts, that wget should FAIL, giving you an error something like this:

Because, of course, goliath rejects you if you don't present a client cert it has signed.
Anyhow, that's it. Hope someone finds this useful, as I had to spend a couple of hours figuring out all the ins and outs.
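As an added example (these are not the post's own commands, which are not reproduced above), here is the whole goliath-side procedure as one shell script: build a throwaway CA, issue david's client cert from a CSR with a backdated -startdate in the YYMMDDHHMMSSZ format, and check the result before touching Apache. It goes a little beyond the post by marking the CA cert CA:TRUE, restricting david's cert to CA:FALSE plus the clientAuth extended key usage, and running openssl verify so a "not yet valid" cert is caught on the command line rather than in the wget error. The directory layout, the minimal openssl.cnf, the subject names and the goliath.domain.com URL are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the post's own commands: a throwaway private CA for
# goliath, a client cert for david signed by it, and the checks to run before
# touching Apache. Paths, names and the config below are assumptions.
set -e

# openssl ca -startdate takes YYMMDDHHMMSSZ in UTC. Backdating a day avoids
# "certificate is not yet valid" when the two hosts' clocks disagree.
yesterday_utc() {
    date -u -d '1 day ago' '+%y%m%d%H%M%SZ' 2>/dev/null \
        || date -u -v-1d '+%y%m%d%H%M%SZ' 2>/dev/null \
        || date -u -d "@$(( $(date +%s) - 86400 ))" '+%y%m%d%H%M%SZ'
}

# Build the CA and sign david's cert under $1; $2 overrides the start date.
make_ca_and_client_cert() (
    set -e
    start="${2:-$(yesterday_utc)}"
    mkdir -p "$1/ca/newcerts"
    cd "$1"
    : > ca/index.txt
    echo 01 > ca/serial

    # Minimal openssl.cnf for "openssl ca"; constructed for this example.
    cat > ca/openssl.cnf <<'EOF'
[ ca ]
default_ca       = goliath_ca

[ goliath_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
policy           = policy_any
unique_subject   = no

[ policy_any ]
commonName       = supplied

# Stamped onto certs signed with -extensions client_ext: not a CA, client use only.
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = clientAuth

[ req ]
distinguished_name = req_dn

[ req_dn ]
commonName       = Common Name
EOF

    # 1. The CA: a key and a self-signed cert explicitly marked CA:TRUE.
    openssl genrsa -out ca/ca.key 2048
    openssl req -new -x509 -config ca/openssl.cnf -key ca/ca.key -sha256 \
        -days 3650 -subj '/CN=Goliath Private CA' \
        -addext 'basicConstraints=critical,CA:TRUE' \
        -addext 'keyUsage=critical,keyCertSign,cRLSign' -out ca/ca.crt

    # 2. david's key and CSR. In real use generate the key on david and ship
    #    only the CSR to goliath; the private key never travels.
    openssl genrsa -out david.key 2048
    openssl req -new -config ca/openssl.cnf -key david.key \
        -subj '/CN=david' -out david.csr

    # 3. Sign the CSR with the CA as a client-auth cert, backdated by default.
    openssl ca -batch -config ca/openssl.cnf -extensions client_ext \
        -startdate "$start" -days 365 -notext -in david.csr -out david.crt
)

# Chains to the CA and is inside its validity window on this host's clock;
# a future startdate makes this fail with "certificate is not yet valid".
client_cert_verifies() {
    openssl verify -CAfile "$1/ca/ca.crt" "$1/david.crt" >/dev/null 2>&1
}

# Has the clientAuth EKU; a cert whose EKU lacks it is refused for TLS client use.
client_cert_is_client_auth() {
    openssl x509 -in "$1/david.crt" -noout -text \
        | grep -q 'TLS Web Client Authentication'
}

# The end-to-end check from david once Apache is configured (not run here):
#   fetch_with_client_cert https://goliath.domain.com/ ./pki
fetch_with_client_cert() {
    wget --certificate="$2/david.crt" --private-key="$2/david.key" \
        --ca-certificate="$2/ca/ca.crt" -O - "$1"
}

if [ -n "${1:-}" ]; then
    make_ca_and_client_cert "$1"
    client_cert_verifies "$1" && client_cert_is_client_auth "$1" \
        && echo "david.crt is signed by the CA and valid for client auth"
fi
```

Run it as `sh make-client-cert.sh ./pki`, then copy pki/david.crt and pki/david.key to david (the key with owner-only permissions) and pki/ca/ca.crt to wherever goliath's mod_ssl config points its CA file. The mod_ssl directives that go under SSLEngine On for this are SSLVerifyClient require, SSLVerifyDepth 1 and SSLCACertificateFile naming that ca.crt; after the graceful restart, fetch_with_client_cert is the wget invocation from the post, and dropping its --certificate and --private-key flags should produce the handshake failure described above.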



About The Author

Matt Wallace is a cloud computing architect and recovering Web Application Developer working on a large e-commerce site and dabbling in social networking applications. He has recurring dreams of manipulating the real world with jQuery.